While making a few changes to my lab network, I revised one of my IPMI user passwords and inadvertently locked myself out of that account. While the management interface was happy to accept the new password without error, it was beyond the 19 character limit and all attempts to login with the new, correct password were denied.

To solve this issue, I turned to a utility from Supermicro called IPMICFG which is available from the Supermicro ftp site and supports BMCs which support the IPMI v2.0 spec. This program can be used to query the BMC for information and can also be used for management. In this case user management.

After downloading the file and confirming the checksum, extract the zip archive and find the correct executable/script for your machine. In my case, this was 64-bit Debian Linux. A user manual is included in the zip archive and can also be downloaded from the ftp site. For Linux, they only cite RHEL and CentOS in the documentation but I have not encountered issues running from a Debian machine.

My initial thought was that the BMC might be referencing the old password so I started with a cold reset using the following command:

./IPMICFG-Linux.x86_64 -r

After the reset, my login attempts were still being denied so I moved on to a password reset for the afflicted user account.

To reset a password, first check the list of user accounts and confirm the user id, then run the set password command.

On a 64-bit Linux system that would be:

./IPMICFG-Linux.x86_64 -user list

Followed by:

./IPMICFG-Linux.x86_64 -user setpwd user_id password

Following those commands, your new password for the specified user_id should have been written over the old password. Assuming you follow the IPMI user password constraints, you will be able to log back into that user account.

—– TL;DR —–

Just because a program accepts your input with no error messages, doesn’t mean you followed the correct input guidelines. Always check the docs and if you’re writing a program, add verificiation checks to you code.

—– TS;WM? (Too short; wanted more) —–

Reasoning behind the 19 character limit on IPMI passwords

I read through the Supermicro documentation for IPMI and only found reference to password length in the X9 SMM IPMI rev 1.0 User’s Guide document. The user guide pdf is under the Resources section on the right of the Supermicro IPMI site (WARNING - that link leads to an End User Agreement pop-up which displays the pdf once accepted). Section 2.5.17.a does mention password criteria; 8-20 characters with no white space. If you review the X10 and X11 manuals, neither has reference to a character limit. At least not one that I’ve been able to find anyway.

Finding little information on the Supermicro site, I reviewed the IPMI v2.0 Revision 1.0 Specification document from Intel (document embedded on site, also downloadable). Section 22.30 of that document covers the setting of user passwords which sheds more light on the requirements for passwords. It explicitly states the following constraints for user passwords:

  1. Can be 16 or 20 bytes in length
  2. Encoded as null-terminated ASCII
  3. Full 0-255 values available for use in each byte (So, extended ASCII character set accessible)
  4. Software providers working with this specification can place additional constraints on password creation

In either case, from what I gleaned, it seems we lose one byte (ASCII character) in our IPMI user passwords so a 16 byte password could really only be 15 characters and a 20 byte password could only be 19 characters, with the final byte marked null to terminate the string.

References:

Supermicro IMPI Resources Page and X9 SMM IPMI User’s Guide
Intel IPMI v2.0 Rev1.0 Specification